Managing roles
Roles are used to specify what actions a user can perform. Roles are assigned to a user (or group, in which case they are inherited by all users in that group). A user or group can have more than one role, in which case they are able to perform any action that at least one of their roles allows.
At least one user must have the admin role, since otherwise any action that requires the admin role (such as creating role assignments) would never be possible. When PowerVC is installed, root is initially assigned the admin role. It is recommended that you assign the admin role to another user (or group) and then remove the admin role assignment from root.
To work with user and group roles, from the Configuration page, click Users and Groups. Only role assignments specific to a project are supported.
Standard roles
These are the commonly assigned roles.
- Administrator (admin)
- Users with this role can perform all tasks and have access to all resources.
Only administrators on the ibm-default project can list, create, and delete projects. Also, the admin user of the ibm-default project can set the image visibility of PowerVC images from private to public. Project administrators can create deploy templates using these public or shared images.
- Administrator assistant (admin_assist)
- Users with this role can perform create and edit tasks but do not have privileges to perform remove or delete operations (for example, delete a virtual machine or a volume, or remove a host or a network). However, these users can perform all virtual machine, image, and volume lifecycle operations except Delete. The admin_assist users of the ibm-default project can set the image visibility of PowerVC images from private to public.
Advanced roles
- If a user needs to write automation to deploy virtual machines, but does not need to perform any other tasks, assign that user Deployer.
- If a user needs to deploy and manage their own virtual machines, but the user does not need to work with images, storage, or perform infrastructure tasks, such as registering hosts, assign that user Virtual machine manager.
- If a user needs to deploy and manage virtual machines but also needs to capture and manage images, assign the user both Virtual machine manager and Image manager.
- If a user needs to work with storage volumes and nothing else, assign that user Storage manager.
- If a user needs to manage virtual machines that others have created, assign that user Virtual machine manager.
- Deployer (deployer)
- Users with this role can perform the following tasks:
- Deploying a virtual machine from an image
- Viewing all resources except users and groups
- Image manager (image_manager)
- Users with this role can perform the following tasks:
- Creating, capturing, importing, or deleting an image
- Editing the description of an image
- Viewing all resources except users and groups
- Storage manager (storage_manager)
- Users with this role can perform the following tasks:
- Creating, deleting, or resizing a volume
- Viewing all resources except users and groups
- Viewer (viewer)
- Users with this role can view resources and the properties of resources, but can perform no tasks. They cannot view users and groups.
- Virtual machine manager (vm_manager)
- Users with this role can perform the following tasks:
- Deploying a virtual machine from an image
- Deleting, resizing, starting, stopping, or restarting a virtual machine
- Attaching or detaching a volume
- Attaching or detaching a network interface
- Editing details of a deployed virtual machine
- Viewing all resources except users and groups
- Creating, attaching, detaching, and deleting floating IP addresses
- Virtual machine user (vm_user)
- Users with this role can perform the following tasks:
- Starting, stopping, or restarting a virtual machine
- Viewing all resources except users and groups
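The rules on this page (group inheritance, "any one role allows it" evaluation, the recommendation to move admin off root, and the advanced-role guidance) can be checked offline against an export of role assignments. The following is an added example, not IBM or PowerVC code; the action labels, function names, and input dictionaries are assumptions made for this sketch.

```python
from itertools import combinations

# Role-to-task map transcribed from the role lists on this page. The action
# labels are invented for this sketch; they are not PowerVC API identifiers.
ROLE_ACTIONS = {
    "viewer": {"view"},
    "deployer": {"view", "vm_deploy"},
    "vm_user": {"view", "vm_power"},
    "vm_manager": {"view", "vm_deploy", "vm_power", "vm_delete", "vm_resize",
                   "vm_edit", "volume_attach", "nic_attach", "fip_manage", "fip_delete"},
    "image_manager": {"view", "image_create", "image_capture", "image_import",
                      "image_delete", "image_edit"},
    "storage_manager": {"view", "volume_create", "volume_delete", "volume_resize"},
}

def effective_roles(user, user_roles, group_roles, membership):
    """Direct roles plus roles inherited from every group the user is in."""
    roles = set(user_roles.get(user, ()))
    for group in membership.get(user, ()):
        roles |= set(group_roles.get(group, ()))
    return roles

def allowed(roles, action):
    """Permitted if at least one held role allows the action."""
    if "admin" in roles or ("admin_assist" in roles and not action.endswith("_delete")):
        return True  # admin: everything; admin_assist: create and edit, never delete
    return any(action in ROLE_ACTIONS.get(r, ()) for r in roles)

def minimal_roles(needed):
    """Fewest advanced roles covering `needed`; ties go to least excess access."""
    for n in range(1, len(ROLE_ACTIONS) + 1):
        best = None
        for combo in combinations(sorted(ROLE_ACTIONS), n):
            granted = set().union(*(ROLE_ACTIONS[r] for r in combo))
            extra = len(granted - needed)
            if needed <= granted and (best is None or extra < best[0]):
                best = (extra, set(combo))
        if best:
            return best[1]
    return None  # not covered by the advanced roles on this page

def admin_findings(user_roles, group_roles, membership):
    """Flag root holding admin, and root being the only admin."""
    admins = {u for u in set(user_roles) | set(membership)
              if "admin" in effective_roles(u, user_roles, group_roles, membership)}
    findings = ["root still holds admin"] if "root" in admins else []
    if not admins - {"root"}:
        findings.append("no admin other than root")
    return findings
```

`minimal_roles({"vm_deploy"})` returns `{"deployer"}`, matching the first item of the guidance, and a request that needs both virtual machine management and image capture resolves to the Virtual machine manager and Image manager pair.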